Fix -- Re: Mydoom Virus getting Through

Ken Anderson ka at PACIFIC.NET
Thu Feb 12 20:27:34 GMT 2004


Oops, spoke too soon.  It's still broken.

It runs for a minute then stops writing to the log silently. The
processes are still busy exploding thousands of identical copies of
*.txt messages into /var/spool/MailScanner/incoming/12397/i1CKHEAw012250
directories.
The messages are:
msg-12397-2166.txt
msg-12397-2167.txt
msg-12397-2168.txt
msg-12397-2169.txt
etc...

ls | wc
    3213    3213   61044

diff msg-12397-2166.txt msg-12397-2167.txt

No diff.
Hope this helps,

Ken A.
Pacific.Net



Ken Anderson wrote:

> patched and restarted with no problems.
> Thanks,
> Ken A.
> Pacific.Net
>
>
> Julian Field wrote:
>
>> Please try this patch instead of the new Message.pm.
>>
>> cd /usr/lib/MailScanner/MailScanner
>> cp Message.pm Message.pm.safe
>> patch -p0 < Message.pm.4.26.5.patch
>> service MailScanner restart
>>
>> If it still fails, set "Debug = yes" in MailScanner.conf, then
>>
>> service MailScanner stop
>> sleep 15
>> check_MailScanner
>>
>> and let me know what it says.
>>
>> At 23:38 11/02/2004, you wrote:
>>
>>> Looking at the log, I see that MailScanner failed to start.
>>> Ken
>>>
>>>
>>> Ken Anderson wrote:
>>>
>>>> I tried installing this Message.pm and restarted MailScanner, but I
>>>> quickly built up a large incoming queue and all exploding in /incoming
>>>> stopped happening. The directory stayed empty after restarting
>>>> MailScanner. I'm not sure what caused it, but things went back to
>>>> normal
>>>> after I put the old Message.pm back. I'm running 4.26.5, perhaps not a
>>>> recent enough version?
>>>> Thanks,
>>>> Ken A
>>>> Pacific.Net
>>>>
>>>>
>>>> Julian Field wrote:
>>>>
>>>>> I have hopefully managed to make the MIME parser a lot more robust. It
>>>>> certainly appears to solve the current problem. If you are running a
>>>>> nice
>>>>> recent version, backup your old Message.pm and replace it with this
>>>>> one.
>>>>>
>>>>> Then please test it against the copies of MyDoom that are getting
>>>>> through.
>>>>>
>>>>> The result of a fine evening spent wading through MIME-tools code and
>>>>> deciding that it can't rewind :-(
>>>>>
>>>>> Let me know how it goes.
>>>>>
>>>>> At 20:37 11/02/2004, you wrote:
>>>>>
>>>>>> Daniel Kleinsinger wrote:
>>>>>>
>>>>>>> Julian Field wrote:
>>>>>>>
>>>>>>>> The message that contained the MyDoom that got through Sophos
>>>>>>>> (before
>>>>>>>> 3.78d) was actually a bounce from another mail server that included
>>>>>>>> the
>>>>>>>> entire text of the original message.
>>>>>>>>
>>>>>>>> Fortunately it's not been a big problem so far, but I would quite
>>>>>>>> like to fix it if I can.
>>>>>>>>
>>>>>>> I'm running Sophos in addition to Trend and F-Prot.  Using
>>>>>>> MailWatch I
>>>>>>> checked which virii got caught by which scanner and before
>>>>>>> installing
>>>>>>> 3.78d Sophos was catching a few less MyDoom.A (5-20 of 300-500 total
>>>>>>> MyDoom.A slipped past Sophos everyday).  Since installing 3.78d
>>>>>>> (yesterday) Sophos is catching all that Trend and F-Prot are.  There
>>>>>>> still seem to be some people having issues with 3.78d, but in my
>>>>>>> case it
>>>>>>> seems like it was a problem with Sophos, not MailScanner.
>>>>>>>
>>>>>>> Daniel
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> I would suggest that this is as much an antivirus issue. I run F-prot
>>>>>> and
>>>>>> Antivir and until Antivir updated their engine about a week ago only
>>>>>> F-prot was reliably catching the bounce messages with the original
>>>>>> message attached. With the new engine, all is well again and both are
>>>>>> catching them. Looks like F-Prot had a better message scanning engine
>>>>>> than the others had at the time.
>>>>>>
>>>>>> Drew
>>>>>>
>>>>>> --
>>>>>> In line with our policy, this message has
>>>>>> been scanned for viruses and dangerous
>>>>>> content by MailScanner, and is believed to be clean.
>>>>>> www.themarshalls.co.uk/policy
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Julian Field
>>>>> www.MailScanner.info
>>>>> Professional Support Services at www.MailScanner.biz
>>>>> MailScanner thanks transtec Computers for their support
>>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>
>>>>
>>>>
>>>>
>> --
>> Julian Field
>> www.MailScanner.info
>> MailScanner thanks transtec Computers for their support
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>
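A defender-side check for the symptom Ken reports (a work directory under the incoming spool filling with thousands of byte-identical msg-*.txt files), added here as an example; it is not code from the thread or from MailScanner, and the BASE/<child>/<queue id> layout and the 1000-file threshold are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread or from MailScanner. Flags a
# per-child work directory under /var/spool/MailScanner/incoming that holds
# thousands of byte-identical msg-*.txt files, so an operator can alert or
# stop MailScanner before the spool disk fills. THRESHOLD (assumed default
# 1000) is the file count below which a directory is never flagged.

# explosion_check DIR [THRESHOLD]
# Returns 0 (and prints EXPLOSION) when DIR holds at least THRESHOLD msg-*.txt
# files whose contents are all identical; returns 1 otherwise.
explosion_check() {
    dir=$1
    threshold=${2:-1000}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    count=$(find "$dir" -maxdepth 1 -type f -name 'msg-*.txt' | wc -l | tr -d ' ')
    if [ "$count" -lt "$threshold" ]; then
        echo "ok: $dir has $count msg-*.txt files"
        return 1
    fi
    # A genuine backlog has many distinct messages; the bug produces exactly
    # one distinct CRC/size pair repeated thousands of times.
    distinct=$(find "$dir" -maxdepth 1 -type f -name 'msg-*.txt' -exec cksum {} + \
        | awk '{print $1, $2}' | sort -u | wc -l | tr -d ' ')
    if [ "$distinct" -eq 1 ]; then
        echo "EXPLOSION: $dir has $count identical msg-*.txt files"
        return 0
    fi
    echo "busy but sane: $dir has $count files, $distinct distinct contents"
    return 1
}

# scan_incoming BASE [THRESHOLD]
# Runs explosion_check on every work directory under BASE, assuming the
# layout seen in the report: BASE/<child pid>/<queue id>/. Returns 0 if any
# directory is exploding, 1 if all are sane.
scan_incoming() {
    base=$1
    threshold=${2:-1000}
    found=1
    for d in "$base"/*/*; do
        [ -d "$d" ] || continue
        explosion_check "$d" "$threshold" && found=0
    done
    return $found
}

# Example run against the live spool (needs read access to it):
# scan_incoming /var/spool/MailScanner/incoming 1000 && service MailScanner stop
```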


